From 2330ea9d0ecd3f3a9d59afb4bbf23116932e345f Mon Sep 17 00:00:00 2001 From: Foster McLane Date: Thu, 1 Mar 2018 19:34:12 -0500 Subject: [PATCH] add empty running executable --- disaster/linux.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/disaster/linux.md b/disaster/linux.md index 9e8f6d6..0561d33 100644 --- a/disaster/linux.md +++ b/disaster/linux.md @@ -1,6 +1,14 @@ ## Linux -Here are some of the worst things that they can do, and how to hopefully recover. +Here are some of the worst things that the red team can do and how to hopefully recover. + + +### Empty Running Executable + +If your interpreter or other running executable is an empty file, you can grab the binary from memory. + +1. Find a PID of the process (e.g. `bash`) - `pgrep ` +2. Copy the EXE to the location (e.g. `/bin/bash`) - `cp -f /proc//exe ` ### Invalid Password
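Review bot: The two command templates in the new "Empty Running Executable" steps, `pgrep ` and `cp -f /proc//exe `, carry no placeholders for the process name, the PID, or the destination path, so as written they are not runnable; spell them out (for example `pgrep bash`, then `cp -f /proc/<pid>/exe /bin/bash`) so the reader knows what to substitute. A check is also missing before step 2: the recovery only works when the kernel still holds the original image, which is the case when the file on disk was unlinked and replaced (`ls -l /proc/<pid>/exe` then shows the old target marked "(deleted)"); if the process happens to be running the already-emptied file, `cp -f` just copies zero bytes over zero bytes, so the step should tell the reader to confirm the source has a non-zero size (e.g. `stat -L /proc/<pid>/exe`) and to prefer a PID started before the tampering. Minor: `pgrep` can return several PIDs, so "Find a PID" should note that any of them with an intact `exe` link will do.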